Card skimmers are actively attacking numerous e-commerce websites since many have been relying on them now more than ever. In a new technique discovered by the Malwarebytes team, a group of Magecart attackers is found to be hiding their malicious data-stealing code behind an image file’s metadata! And also exfiltrating the stolen data via an image file.

A New Card Skimming Technique

Along with security researchers, hackers too have been evolving with new techniques for evading detections. In the field of credit card skimming, e-commerce websites with least to no security walls are being attacked by Magecart hackers. The group has successfully infected and stolen known companies like British Airways and Ticketmaster, and now, there’s another variant with a new style of attacking.

New Magecart Hackers Are Hiding Their Malicious Script Within Image MetadataNamed as Magecart Group 9, this variant of attackers are found to be clever in hiding their malicious JavaScript code within an image on an e-commerce website, that will be loaded by the site itself. As the Malwarebytes team reported, a suspiciously looking image was found to be hosting the malicious script in its EXIF metadata.

An online store with a WordPress e-commerce plugin would trigger the code. Upon analyzing the code, it was traced back to a domain called cddn[.]site, which is loaded through a favicon file. While the code seemed good initially, researchers stumbled upon the “field called “Copyright” in the metadata field loaded the card skimmer using a < IMG > header tag, specifically via an HTML onerror event, which triggers if an error occurs when loading an external resource” as explained by ZDNet.

Upon loading this malicious code by the e-commerce site, it will capture the sensitive data like card details, billing address, and names that are being entered into the payment page. Hackers here are so clever to obfuscate the code and even exfiltrate the stolen data too in an image file, via POST requests.


Please enter your comment!
Please enter your name here